Facebook denies abuse of user privacy after report it shared info without consent

Facebook denies privacy abuse in device sharing

Author:
Mike Snider, USA TODAY

Published:
7:23 AM CDT June 4, 2018

Updated:
10:50 AM CDT June 4, 2018

Facebook CEO Mark Zuckerberg testifies before the House Energy and Commerce Committee in Washington on April 11, 2018.

Jack Gruber, USA TODAY

Facebook potentially has another privacy problem.

The social networking giant allowed companies such as Apple and Samsung access to Facebook users' friends without explicit consent, according to a report in The New York Times, which cited Facebook documents, interviews and its own tests. If that turns out to be the case, the action could be a violation of a 2011 consent decree Facebook reached with the Federal Trade Commission.

Facebook allowed makers of mobile devices — including Apple, Amazon, BlackBerry, Microsoft and Samsung — access to data of Facebook users' friends without explicit consent, according to the report. Some device makers could get information from users’ friends who thought they had prohibited any sharing, The Times found in doing tests of data sharing.

Facebook is denying it violated users' privacy.

"These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences," Facebook's vice president of product partnerships Ime Archibong said in a post on the company's blog Monday.

Facebook said the device partnerships included strict limits on the use of data, including any stored on partners’ servers. Facebook executives said there were no known cases of data misuse.

"Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built," Archibong wrote.

"Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies."

The newspaper report said the agreements, numbering as many as 60 and struck as far back as a decade ago, were made before smartphones became powerful enough to run fully-fledged apps such as those running on devices today. Under the agreements, Facebook worked with the companies to create private application programming interfaces (APIs) so that devices could let users access popular Facebook features such as messaging, “like” buttons and address books, The Times says.

But some device partners could get Facebook users’ relationship status, religion, political leaning and upcoming events, among other data, The Times says.

Facebook announced in April that it was "winding down access" to APIs, Archibong says.

These device partnerships were a concern inside of Facebook, according to Sandy Parakilas, who in 2012 oversaw Facebook's third-party advertising and privacy compliance.“This was flagged internally as a privacy issue,” Parakilas told The Times. He left the company that year.

“It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.”

The device partnerships were touched on in documents Facebook submitted to German lawmakers who are looking into the company's privacy measures.

“What we have been trying to determine is whether Facebook has knowingly handed over user data elsewhere without explicit consent,” German parliament member Elisabeth Winkelmeier-Becker told The Times. She is among those who questioned Joel Kaplan, Facebook’s vice president for global public policy, during a closed-door hearing in April.

“I would never have imagined that this might even be happening secretly via deals with device makers," she said.

The FTC is investigating whether Facebook has violated a consent decree that barred it from making misrepresentations about the privacy or security of consumers' personal information and required it to ask users before any changes that overrode privacy preferences. The agreement also prevented Facebook from letting anyone access users' information more than 30 days after a user deleted their account.

The agency began the investigation after Facebook disclosed 87 million users had their data improperly obtained by U.K.-based Cambridge Analytica after the political firm got a collection of data from University of Cambridge researcher Aleksandr Kogan, whose personality quiz app had gleaned information on 270,000 Facebook users and tens of millions of their friends.

Bub based on The Times report, "sure looks like Zuckerberg lied to Congress about whether users have 'complete control' over who sees our data on Facebook," Rep. David Cicilline, D-R.I., tweeted Monday. "This needs to be investigated and the people responsible need to be held accountable."

Sure looks like Zuckerberg lied to Congress about whether users have “complete control” over who sees our data on Facebook. This needs to be investigated and the people responsible need to be held accountable. https://t.co/rshBsxy32G

During his April 10 testimony before the Senate Commerce and Judiciary committees, Mark Zuckerberg said, "Every piece of content that you share on Facebook, you own and you have complete control over who sees it and — and how you share it, and you can remove it at any time."

The month before, Zuckerberg took out advertisements in The Times, The Wall Street Journal, The Washington Post and six British papers calling the Cambridge Analytica data misuse "a breach of trust, and I'm sorry we didn't do more at the time. ... We have a responsibility to protect your information. If we can't, we don't deserve it."